Re: Security vulnerability in automake

["Lawrence Teo" <lteo_list at hotmail dot com>]

Dear Allan,

I agree with you on many points but I still think this is an issue.

Yes, people like you and me don't build stuff as root, because we're aware 
of the security issues behind this. However, "normal" users like newbie 
admins probably don't.

Yes, standard users cannot overwrite /etc/passwd. But let's say we have a 
newbie admin who always builds and installs his stuff like this:

$ su -
# cd /tmp
# tar zxvf package-1.0.0.tar.gz
# cd package-1.0.0
# ./configure
# make
# make install

If an attacker observes this behavior, the attacker may do this:

$ cd /tmp
$ mkdir package-1.0.0
$ cd package-1.0.0
$ ln -s /etc/passwd dummy-7836.c

..and wait for the newbie admin to build his package. If config.guess 
happens to run as PID 7836, /etc/passwd is hosed.

Yes, the vulnerability would still be there even with a random hashed name. 
But it would be much, much harder for an attacker to exploit that, 
especially if we use a good hashing algorithm. It's almost impossible to 
guess dummy-7836-2c7f55d3aae7037c094b116d7b257b89.c compared to 
dummy-7836.c.

My point is, if config.guess can be hardened against such potential symlink 
attacks, why shouldn't it be? Of course, it would be great to educate all 
admins not to build stuff as root. But it would also be a responsible thing 
to fix config.guess if we know that there's a potential issue in there.

Here's an analogy: we used to have unshadowed /etc/passwd files a long time 
ago. To improve security, we introduced shadowed password files. This won't 
prevent an admin from using a weak password like "hello" in both scenarios. 
In the case of the unshadowed password file, it's easy for an attacker to 
run a dictionary attack against it and retrieve the weak password. However, 
it's much harder for an attacker to guess a password because of an 
inaccessible shadowed password file, even if the password is weak.

Likewise, having a "hardened" config.guess file would not necessarily 
prevent symlink attacks, but it'll definitely make it much harder for an 
attacker to exploit it, even if the admin is sloppy.

Lawrence



> From: Allan Clark <allanc@caldera.com>
> To: Lawrence Teo <lteo_list@hotmail.com>
> CC: automake@gnu.org
> Subject: Re: Security vulnerability in automake
> Date: Sun, 09 Jun 2002 01:20:01 -0700
>
> This is really not an issue; standard users cannot overwrite /etc/passwd
>
> You don't compile/install unknown software as root, do you?  If so, then
> my configure file says this:
> date > /etc/passwd
>
> Sure, this could be replaced with a hashed random name, but the same
> vulnerability remains.  Don't build as root?
>
> Allan
>
>
> Lawrence Teo wrote:
>
> > I was learning Automake last night, and I think I found a security
> > vulnerability. I'm not sure if this is already known, but I couldn't
> > find it on Bugtraq. The security vulnerability is the insecure
> > creation of temporary files in the config.guess script which leads
> > to a race condition.
> >
> > In the config.guess script, there's a line that says:
> >
> > dummy=dummy-$$
> >
> > And further down...
> >
> > echo "int dummy(){}" > $dummy.c ;
> >
> > An attacker can create a number of symbolic links called
> > dummy-PID.c pointing to important files like /etc/passwd. PID in
> > this case would be the attacker's guesses on what the PID of the
> > config.guess script will run as. If root runs ./configure in a
> > source tree containing these malicious symlinks, and if the
> > configure script in turn runs config.guess, the /etc/passwd file
> > may potentially be overwritten with "int dummy(){}", resulting in
> > a denial of service attack.
_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx